Senators warn Pentagon: Get China’s telecom hacking under control

The senators also present evidence in their letter that U.S. telecommunications companies have worked with outside cybersecurity firms to conduct audits of their systems related to the telecommunications protocol known as SS7, but have refused to provide the results of those assessments to the Defense Department . “The Department of Defense has asked the airlines for copies of the results of their third-party audits and has been informed that these are considered confidential attorney-client information,” the department wrote in response to questions from Wyden’s office.

The Pentagon contracts with major U.S. operators for much of its telecommunications infrastructure, meaning it takes on all potential vulnerabilities in corporate security, but also the old vulnerabilities at the heart of their phone networks.

AT&T and Verizon did not respond to WIRED’s multiple requests for comment. T-Mobile was also reportedly attacked as part of the Salt Typhoon campaign, but the company said in a blog post last week that it had seen no signs of compromise. T-Mobile has contracts with the Army, Air Force, Special Operations Command and many other departments of the Department of Defense. And in June, the company announced a 10-year, $2.67 billion contract with the Navy that “gives all Department of Defense agencies the opportunity to place orders for T-Mobile’s wireless services and equipment for the next 10 years.” to give up.”

In an interview with WIRED, T-Mobile Chief Security Officer Jeff Simon said the company recently discovered attempted hacking of its routing infrastructure through an unnamed wireline partner that was compromised. T-Mobile isn’t sure if the “bad actor” was Salt Typhoon, but whoever it was, Simon says the company quickly repelled the break-in attempts.

“You can’t access all of our systems from our edge routing infrastructure – they’re kind of locked in there, and then you have to try to switch between that environment and another to get more access,” says Simon. “That requires them to do quite loud things, and that’s where we were able to detect them. We have invested heavily in our surveillance capabilities. Not that they’re perfect, they never will be, but when someone around us is loud we like to think we’ll catch them.”

Amid the Salt Typhoon chaos, T-Mobile’s claim that it suffered no breach in this case is notable. Simon says the company is still working with law enforcement and the broader telecommunications industry as the situation progresses. But it is no coincidence that T-Mobile has invested so heavily in cybersecurity. The company suffered from repeated, large-scale security breaches for a decade that exposed an immense amount of customer data. Simon says the company has undergone a significant security transformation since he joined in May 2023. For example, the company has implemented mandatory two-factor authentication with physical security keys for everyone who interacts with T-Mobile systems, including all contractors and employees. Such measures have dramatically reduced the risk of threats such as phishing, he says. And further improvements in device population management and network discovery have helped give the company confidence in its ability to defend itself.

“The day we made the switch, we blocked some people from access because they hadn’t received their Yubikeys yet. There was a line at the door of our headquarters,” says Simon. “Any life form that accesses T-Mobile systems must receive a Yubikey from us.”

Still, the fact remains that the U.S. telecommunications infrastructure has fundamental vulnerabilities. Although T-Mobile successfully thwarted Salt Typhoon’s recent intrusion attempts, the espionage campaign is a dramatic example of the long-standing insecurity throughout the industry.

“We urge you to consider whether the Department of Defense should decline to renew these contracts,” the senators wrote, “and instead renegotiate with contracted wireless carriers to require them to implement meaningful cyber defenses against surveillance threats .”

Additional reporting by Dell Cameron.